---
layout: api
page_title: SCEP - Auth Methods - HTTP API
description: |-
  This is the API documentation for the Vault SCEP authentication
  method.
---

> [!IMPORTANT]  
> **Documentation Update:** Product documentation, which were located in this repository under `/website`, are now located in [`hashicorp/web-unified-docs`](https://github.com/hashicorp/web-unified-docs), colocated with all other product documentation. Contributions to this content should be done in the `web-unified-docs` repo, and not this one. Changes made to `/website` content in this repo will not be reflected on the developer.hashicorp.com website.

# SCEP auth method (API)

Use the SCEP authentication plugin API to interact with a mounted plugin
instance. For general information about the usage and operation of the
SCEP method, refer to the [Vault SCEP method documentation](/vault/docs/auth/scep).


## Create SCEP role

Creates or updates a named SCEP role.

| Method | Path                    |
|:-------|:------------------------|
| `POST` | `/auth/{mount_path}/role/:name` |

### Parameters

- `name` `(string: <required>)` - The name of the SCEP role.
- `display_name` `(string: "<name>")` - The `display_name` value for tokens
  issued when authenticating against the role. Defaults to `name`.
- `auth_type` `(enum: <required>)` - Required authentication type for the SCEP
  role. Must be one of: `static-challenge`, `intune`.
- `challenge` `(string: "")` - The authentication challenge to use when
  `auth_type` is `static-challenge`.

@include 'tokenfields.mdx'

### Sample payload

```json
{
  "auth_type": "static-challenge",
  "challenge": "super-secret-challenge",
  "display_name": "test",
  "token_policies": ["access-scep"],
  "token_type": "batch"
}
```

### Sample request

```shell-session
$ curl \
    --header "X-Vault-Token: ..." \
    --request POST \
    --data @payload.json
    http://127.0.0.1:8200/v1/auth/scep/role/static-challenge-1
```

### Sample response

```json
{
  "request_id": "c22d68ec-ac3d-ea24-d5d0-efe07dcc0ef6",
  "lease_id": "",
  "renewable": false,
  "lease_duration": 0,
  "data": {
    "auth_type": "static-challenge",
    "display_name": "test",
    "name": "static-challenge-1",
    "token_bound_cidrs": [],
    "token_explicit_max_ttl": 0,
    "token_max_ttl": 0,
    "token_no_default_policy": false,
    "token_num_uses": 0,
    "token_period": 0,
    "token_policies": [
      "access-scep"
    ],
    "token_ttl": 0,
    "token_type": "batch"
  },
  "wrap_info": null,
  "warnings": null,
  "auth": null,
  "mount_type": "scep"
}
```

## Read SCEP role

Get information associated with the named role.

| Method | Path                    |
|:-------|:------------------------|
| `GET`  | `/auth/{mount_path}/role/:name` |

### Parameters

- `name` `(string: <required>)` - The name of the SCEP role.

### Sample request

```shell-session
$ curl \
    --header "X-Vault-Token: ..." \
    http://127.0.0.1:8200/v1/auth/scep/role/static-challenge-1
```

### Sample response

```json
{
  "request_id": "07c9bfcc-ee30-6ba9-fce8-07bae5033989",
  "lease_id": "",
  "renewable": false,
  "lease_duration": 0,
  "data": {
    "auth_type": "static-challenge",
    "display_name": "static-challenge-1",
    "name": "static-challenge-1",
    "token_bound_cidrs": [],
    "token_explicit_max_ttl": 0,
    "token_max_ttl": 0,
    "token_no_default_policy": false,
    "token_num_uses": 0,
    "token_period": 0,
    "token_policies": [
      "access-scep"
    ],
    "token_ttl": 0,
    "token_type": "batch"
  },
  "wrap_info": null,
  "warnings": null,
  "auth": null,
  "mount_type": "scep"
}
```

## List SCEP roles

List all currently configured SCEP role names.

| Method | Path               |
| :----- | :----------------- |
| `LIST` | `/auth/{mount_path}/role` |

### Sample request

```shell-session
$ curl \
    --header "X-Vault-Token: ..." \
    --request LIST \
    http://127.0.0.1:8200/v1/auth/scep/role
```

### Sample response

```json
{
  "auth": null,
  "warnings": null,
  "wrap_info": null,
  "data": {
    "keys": ["static-challenge-1", "intune-1"]
  },
  "lease_duration": 0,
  "renewable": false,
  "lease_id": ""
}
```

## Delete SCEP role

Delete the named role.

| Method   | Path                    |
|:---------|:------------------------|
| `DELETE` | `/auth/{mount_path}/role/:name` |

### Parameters

- `name` `(string: <required>)` - The name of the SCEP role.

### Sample request

```shell-session
$ curl \
    --header "X-Vault-Token: ..." \
    --request DELETE \
    http://127.0.0.1:8200/v1/auth/scep/role/static-challenge-1
```

## Login

SCEP authentication endpoint for delegated authentication from a PKI mount.

| Method | Path               |
|:-------|:-------------------|
| `POST` | `/auth/{mount_path}/login` |

### Parameters

- `name` `(string: "")` - The SCEP role associated with the PKI mount. Leaving
  `name` unset tells Vault to try all SCEP roles and return the first one that
  matches.
